PatchWork?

On Thursday, March 8th, 2001, the United States Federal Bureau of Investigation (FBI) disclosed details of an ongoing investigation into the organized intrusion, by Eastern European hackers, of more than forty commercial, domestic web sites.

These attacks were particularly disturbing because, in every case, the Russian hackers were simply exploiting well-known and readily preventable vulnerabilities in non-updated versions of Microsoft's Windows NT web serving operating system.

Prior to the FBI's public announcement, I was contacted and asked to quickly create a tool to perform two specific functions for any Internet-connected Windows NT/2000 system:

Rapidly scan the system's mass storage for evidence of files known to be used by hackers for system intrusion and also files implicated in the specific intrusions researched by the FBI.

Analyze the Windows server for the presence of the specific vulnerabilities known to have been exploited by the Russian hackers.

Created in two days, and occupying just 30k bytes after being digitally signed with my secure digital signature, this new and COMPLETELY FREE utility, PatchWork, is ready for your use.

Pursuant to my agreement, PatchWork is being distributed by the Center for Internet Security and may be immediately and easily downloaded directly from their web site:

You can learn about The Center from their web site. You will find a link to their "PatchWork Page" at the top of their site's home page.

What Does PatchWork NOT do?

It is important for you to understand why PatchWork was created so that you will be able to apply it with maximum effectiveness.

PatchWork was designed from information provided by the FBI. This information was derived from their investigation into a series of directly related and coordinated intrusions into United States eCommerce and eBanking sites. Through this investigation, the FBI determined the "Attack Vectors" (the specific exploits) that were used by remote intruders to gain entry into Windows NT systems.

PATCHWORK ONLY CHECKS FOR AND ADVISES ABOUT THE PRESENCE OF THESE SPECIFIC VULNERABILITIES.

You must NOT confuse PatchWork with a general-purpose, comprehensive, patch-verification tool; it is not that. Such capability is beyond the scope of the present utility. We believe that if PatchWork gives your computer the "all clear", then that system will be hardened against the specific Internet eCommerce attacks that have been occurring with disturbing frequency. However, by no means should this PatchWork utility be used as a substitute for continuing comprehensive and proactive security measures.

It is our sincere hope that your use of this first simple "PatchWork" tool will help to highlight the need for taking your Internet security seriously. If we are able to help you solve a few security problems today, and surprise you a bit about the very real need for continuing vigilance, this tool will have been a success in our eyes.

Version History

v1.00: Initial Release

v1.01: Minor Cosmetic Tweak

A paragraph was appended to the end of the file system scan reminding the user that we were only performing a simple file name match and that, consequently, any "hits" should be further researched before any conclusions are reached.

v1.10: Function Enhancements

We were able to obtain the file sizes of all but two known "bad" files. Therefore PatchWork was enhanced to check the suspect file size and to report both a "name match" and a file size match. This will essentially eliminate false positive reports.

We learned that Microsoft's patching tools do not correctly verify the installed version of IIS prior to overwriting. Older versions were therefore being incorrectly "upgraded." PatchWork v1.10 now takes proactive responsibility to make sure all application patches will be safe and correct.

PatchWork's initial MDAC recommendation was warning about unsafe registry keys even if the server's "/msdac" virtual root had been removed or renamed (which prevents the vulnerability). PatchWork now checks this before raising an alert.

PatchWork was creating "option setting" registry entries for itself even when it was run under Windows 9x, for which the program is not intended. That behavior is now suppressed so that there are no registry side effects from running under Win9x.
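
The name-and-size matching described in the v1.01 and v1.10 notes above, sketched as an added example (this is not PatchWork's code). The indicator names and sizes are constructed placeholders, since the actual list is not given here; a hit on name alone, or on a file whose known-bad size is not on record, stays flagged for further research.

```python
import os
import tempfile

# Constructed indicator list: file name -> known size in bytes, or None when
# the size is not on record. Placeholder names, not PatchWork's actual list.
INDICATORS = {
    "example-tool.exe": 4096,
    "example-dropper.dll": 1234,
    "example-unknown.exe": None,
}


def scan(root, indicators=INDICATORS):
    """Walk root and return sorted (path, verdict) pairs for listed file names."""
    wanted = {name.lower(): size for name, size in indicators.items()}
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            key = fname.lower()  # NT file names are case-insensitive
            if key not in wanted:
                continue
            path = os.path.join(dirpath, fname)
            expected = wanted[key]
            actual = os.path.getsize(path)
            if expected is None:
                verdict = "name-only (size unknown)"  # cannot confirm by size
            elif actual == expected:
                verdict = "name+size"  # strong hit: both attributes agree
            else:
                verdict = "name-only"  # likely coincidence; research further
            hits.append((path, verdict))
    return sorted(hits)


def demo():
    """Build a constructed directory tree, scan it, return (name, verdict)."""
    with tempfile.TemporaryDirectory() as root:
        samples = {"EXAMPLE-TOOL.EXE": 4096, "example-dropper.dll": 10,
                   "example-unknown.exe": 7, "readme.txt": 4096}
        for name, size in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(b"\0" * size)
        return [(os.path.basename(p), v) for p, v in scan(root)]


if __name__ == "__main__":
    for name, verdict in demo():
        print(f"{verdict:26} {name}")
```

Only the "name+size" verdict corresponds to the stronger report introduced in v1.10; the other two verdicts are the name matches that v1.01 told users to research before drawing conclusions.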

PatchWork's Digital Signature
Since PatchWork is being downloaded from a server other than mine, and since copies will probably be passed around the Internet quite a bit, users need to have some way to verify that the original program has not been tampered with in any way. For that reason I have "digitally signed" the original PatchWork program with my personal, non-spoofable, cryptographic signature.

For instruction on checking the validity of the file's signature, click the link below:

I sincerely hope you find PatchWork to be a useful and effective utility to aid in taking the first steps toward establishing proactive and ongoing management of your enterprise's Internet-connected server security.

Wishing you safe and secure use of the Internet!

Gibson Research Corporation is owned and operated by Steve Gibson. The contents of this page are Copyright (c) 2016 Gibson Research Corporation. SpinRite, ShieldsUP, NanoProbe, and any other indicated trademarks are registered trademarks of Gibson Research Corporation, Laguna Hills, CA, USA.